Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

GitHub Hit By Largest DDoS Attack Ever Recorded at 1.35 Tbps

GitHub was a victim of a Distributed Denial of Service attack that uses mis-configured memcached servers to amplify attack traffic. The good news though is that the attack was mitigated inside of 8 minutes.

WEBINAR:On-Demand

GitHub reported on March 1 that it was the victim of a Distributed Denial of Service (DDoS) attack that peaked at 1.35 Tbps (Terabits per second), making it the largest DDoS attack that has been publicly reported to date.

The attack is part of the ongoing memcached amplification attacks that were first publicly reported by multiple service providers on Feb. 27. CloudFlare had initially reported that it saw peak attacks of 260 Gbps from the attack, while Arbor Networks reported attacks of up to 500 Gbps. Those numbers have all grown, culminating in the massive attack that hit GitHub on Feb. 28.

"Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack," GitHub noted in an incident report on the attack. "The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints."

Further reading

The attack came from mis-configured memcached servers that were amplifying traffic toward Akamai. Memcached is a widely used open-source tool for distributed memory object caching. It is typically deployed alongside databases as a way to help distribute processing loads and improve query response time.

GitHub reported that after it first identified the memcached DDoS against its infrastructure it moved its traffic over to Akamai to help deal with the volumetric attack. By 17:30 UTC, four minutes after moving traffic to Akamai and eight minutes after the attack began, GitHub said that the attack was mitigated. There was a second attack spike that came in at 18:00 UTC of 400 Gbps that was also mitigated by the Akamai edge.

"Mitigation was in place globally across the Akamai Prolexic Routed platform prior to the attack event," Chad Seaman, Senior Engineer, Security Intelligence Response Team at Akamai, told eWEEK. "The 8 minutes was the amount of time it took from the first signs of the attack on the customer's networks to when the affected customer was able to route onto mitigation services, ending the attack impact."

The largest previous attack ever mitigated by Akamai was the one against blogger Brian Kreb in 2016 which came in at 628 Gbps and was attributed to the Mirai Internet of Things (IoT) botnet. It's currently not entirely clear who is behind the attack on GitHub, though Akamai has some ideas on where the traffic is coming from.

"It came from all over the world, though our Frankfurt scrubbing center was hit the hardest, which is typically indicative of Eastern Europe activity," Seaman said.

Though GitHub is the hardest hit target so far for the memcached DDoS attack, other service providers are also reporting significant volumes of attack traffic. Hardik Modi, Sr. Director of NETSCOUT Arbor's Security Engineering and Response Team said that Arbor observed attacks greater than 700Gbps using the memcached reflection/amplification technique.

"Our observation is that this has been operationalized in booter-stresser services," Modi said.

Booter-stresser services provide DDoS for hire capabilities to attackers. Modi added that the amplification factors that can be achieved from the memcached attack mean that attackers don't need a large botnet of servers to participate. While GitHub is the highest profile target impacted by the memcached DDoS, Modi said that Arbor is seeing the memcached amplification attack used against multiple targets, including residential broadband networks.

"Now that the first large enterprise targets have been announced with corresponding sizes, it stands to bear that these attacks will be used against other high profile targets," Modi said. "At the same time, the operational community is responding quickly to rate-limit the resulting DDoS traffic and in some cases, block the exploitation attempts as well."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.